BLOG: A zero-day vulnerability is reported against Linux and Android, but the real risk lies in known issues that users have not yet patched

Some vulnerabilities have a bigger impact than others, and not every flaw that a researcher claims is critical represents an immediate risk to users.

Case in point: security firm Perception Point’s recent disclosure of the CVE-2016-0728 vulnerability. Perception Point alleges that the zero-day flaw exposes tens of millions of Linux devices, including Android phones, to the risk of exploitation. As it turns out, the risk is not quite as pronounced as indicated, and there are significantly more pressing security issues that Android users should be concerned about.

At risk

The CVE-2016-0728 issue is a use-after-free memory corruption vulnerability that could potentially enable a local privilege escalation. Linux vendor Red Hat detailed in a customer note that the vulnerability requires a potential attacker to already have access to a system.

“The attacker must be able to run custom code on the account; in the most common configuration, this requires them to have a login and shell account on the target system,” Red Hat wrote.

The same day that Perception Point made its disclosure, a patch fixing the issue landed in the upstream Linux kernel. There are no public reports of any Linux user or system being exploited through the issue.

Turning to Android, which uses Linux at its core: Google considers the risk small, and it has already patched the mainline of Android’s open-source code. Adrian Ludwig, Google’s Android Security lead, emphasized in a Google+ post that the impact to Android devices is smaller than what Perception Point reported.

“We believe that no Nexus devices are vulnerable to exploitation by third-party applications,” Ludwig wrote. “Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third-party applications from reaching the affected code.”

SELinux (Security Enhanced Linux) provides additional access controls on system processes, which can limit the potential risk of privilege-escalation attempts. Beyond that, the CVE-2016-0728 vulnerability was introduced in the Linux 3.8 kernel, which was first released in February 2013, so older kernels do not carry the affected code at all.

“Many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions [are] not common on older Android devices,” Ludwig added.

Android vulnerability

So to recap: A Linux kernel privilege-escalation vulnerability was announced, an attacker would already need access to a system to exploit it and Android isn’t at much risk, thanks to SELinux. Oh, and there are patches out now, too.

Although CVE-2016-0728 might not be much of a risk when it comes to Android, the much larger risk isn’t unknown zero-days, but rather known issues that users have not yet patched on their own devices. Somewhat ironically, on the same day (Jan. 19) that Perception Point disclosed the Linux flaw, Duo Security reported that, according to its own analysis, 90 percent of Android devices are running outdated operating systems.

Looking deeper into the numbers, Mike Hanley, program manager, Labs R&D, Duo Security, told eWEEK that 32 percent of the Android devices his firm sees run a version of Android 4 or below, meaning they lack security mechanisms such as address space layout randomization, or ASLR, a key feature that makes the exploitation of Stagefright vulnerabilities more difficult. Stagefright vulnerabilities, first publicly revealed in July 2015, exposed hundreds of millions of Android users to risk.
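The two conclusions above (CVE-2016-0728 only matters on kernels 3.8 and later without the Android 5.0+ SELinux barrier, while devices on Android 4 or below lack ASLR) can be turned into a fleet-triage check. The following Python script is an added example, not code from the article or from Google, Red Hat, Perception Point or Duo Security. The device names and version strings are constructed sample data, and it assumes SELinux counts as a barrier only when it is in enforcing mode (permissive mode merely logs denials); the article itself does not discuss SELinux modes.

```python
"""Exposure triage for an Android fleet against the two risks in the article.

Added example (not code from the article, Google, Red Hat or Duo Security).
The rules encode only what the article states: the CVE-2016-0728 code entered
the kernel in 3.8; on Android 5.0 and above the SELinux policy keeps
third-party apps away from the affected code; and devices on Android 4 or
below lack ASLR, which the article names as a key obstacle to exploiting the
Stagefright bugs. Assumption (not from the article): SELinux must be in
enforcing mode for the policy to act as a barrier.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CVE_2016_0728_INTRODUCED = (3, 8)   # kernel version named in the article
SELINUX_BARRIER_ANDROID = (5, 0)    # Android version named by Ludwig
ASLR_MISSING_BELOW = (5, 0)         # "Android 4 or below" per Hanley


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.10.49-g1a2b3c4' -> (3, 10, 49); '4.4.2' -> (4, 4, 2).

    Vendor suffixes after '-' are ignored and parsing stops at the first
    component that carries no digits, so odd OEM strings degrade gracefully."""
    parts: List[int] = []
    for piece in text.split("-", 1)[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Device:
    name: str
    android: str             # OS version as reported by the device
    kernel: str              # uname -r style kernel release string
    selinux_enforcing: bool  # True only when SELinux reports "Enforcing"


def cve_2016_0728_status(dev: Device) -> str:
    """Classify one device against CVE-2016-0728 using the article's criteria."""
    if parse_version(dev.kernel) < CVE_2016_0728_INTRODUCED:
        return "not_affected"          # vulnerable code never shipped in this kernel
    if parse_version(dev.android) >= SELINUX_BARRIER_ANDROID and dev.selinux_enforcing:
        return "mitigated_by_selinux"  # still patch the kernel, but apps cannot reach it
    return "exposed"                   # kernel has the code and nothing fences it off


def known_issue_findings(dev: Device) -> List[str]:
    """The article's larger point: old, unpatched platforms, not zero-days.

    Only the ASLR gap is encoded because it is the one concrete mechanism
    the article ties to an OS version."""
    findings: List[str] = []
    if parse_version(dev.android) < ASLR_MISSING_BELOW:
        findings.append("no ASLR: Stagefright-class bugs easier to exploit")
    return findings


def triage(fleet: List[Device]) -> Dict[str, Dict[str, object]]:
    """Per-device report; the 'priority' field orders remediation work."""
    report: Dict[str, Dict[str, object]] = {}
    for dev in fleet:
        cve = cve_2016_0728_status(dev)
        known = known_issue_findings(dev)
        # Known platform gaps outrank the zero-day, matching the article's
        # conclusion; an exposed kernel comes next; everything else last.
        priority = 1 if known else (2 if cve == "exposed" else 3)
        report[dev.name] = {"cve_2016_0728": cve, "known_issues": known, "priority": priority}
    return report


# Constructed sample inventory (not real devices or real measurements).
SAMPLE_FLEET = [
    Device("nexus-6p", android="6.0.1", kernel="3.10.73-g8a1b2c3", selinux_enforcing=True),
    Device("oem-tablet", android="4.4.2", kernel="3.4.0-perf-g1234567", selinux_enforcing=False),
    Device("oem-phone", android="4.4.4", kernel="3.10.28-g7654321", selinux_enforcing=False),
    Device("oem-2015", android="5.0.2", kernel="3.10.49-gabcdef0", selinux_enforcing=True),
]

if __name__ == "__main__":
    rows = sorted(triage(SAMPLE_FLEET).items(), key=lambda kv: kv[1]["priority"])
    for name, row in rows:
        print(f"{name:12} priority={row['priority']} cve={row['cve_2016_0728']} {row['known_issues']}")
```

Run as-is and the Android 4.4 devices sort to the top of the list regardless of whether their kernel carries the CVE-2016-0728 code, which is the ordering the article argues for: the missing ASLR on an old platform is the finding that needs an OEM or carrier update, while the Nexus and the 5.0.2 device are fenced off by SELinux and only need the routine kernel patch.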

Since September 2015, Google has patched 93 security vulnerabilities, including multiple Stagefright-related issues. Those patches have been made available to Google Nexus device users, though other Android devices are not getting updates as fast. Hanley noted that security updates are currently landing faster on supported Nexus devices, and he hopes that this will lead to changes in how quickly security patches reach users who are constrained by carrier and OEM testing requirements.

“Some OEMs have landed one or more rounds of Stagefright patches on their handsets, though the time delay was significant,” Hanley said.

There are also countless millions of unsupported Android phones in use that won’t get any updates from OEMs or carriers; those devices remain at risk from at least the 93 issues that Google has patched since September.

While news of the latest zero-day flaw against Linux is interesting, it is a seemingly trivial footnote in the context of the larger issue of known vulnerabilities for which user devices have not been patched. The truth is that there are so many known vulnerabilities that an attacker can easily exploit that a zero-day isn’t nearly as interesting, regardless of how easy or hard it might be to execute.